
Shaming companies for carrying out pentests is counter-productive; I'm more interested in who is leaking against Palantir and why.

This is the third story now that William Alden has written about Palantir that appears to be based on internal documents[0].

His profile of the company a month ago opened with:

> A trove of internal documents and insider interviews has pulled back the curtain on one of Silicon Valley’s most secretive and highly valued companies, Palantir Technologies.

There isn't much public interest in large parts of the profile or the follow-up stories, so it has the feeling of a disgruntled employee. A really difficult class of threat to defend against and stop, but each additional story and leak provides a few more bits of data that can narrow down the suspect pool.

I really hope the leaker and journalist in this case know what they're getting themselves into - because based on the pentest report the infosec team at Palantir appear capable of tracking the leak down.

[0] https://www.buzzfeed.com/williamalden?language=en

[1] https://www.buzzfeed.com/williamalden/inside-palantir-silico...



[deleted]


I don't know anyone there, and I always disclose my conflicts (usually by avoiding threads where I'm conflicted).


You implied that you were at some point an employee of Palantir here: https://news.ycombinator.com/item?id=11650520


tmpanon: judging from your comments in this thread, you're weirdly in favor of this article.

I don't doubt that Palantir has their skeletons, but having read a bit of Mitnick's stuff, this just seems like business as usual.


I'm putting my tinfoil hat on, and I think you are someone from PAL's legal/hr/compliance/counter-intelligence department.


The leaks at Palantir might not be connected to a single source, but rather a cultural issue, and thus multiple leaks. Having the special talent to track down hacking threats and actively patch problems is different from the ability to wonder whether your next information release is going to be leaked through non-technical means.

Finding the leak is going to involve assigning different truths to different individuals (like what Hollywood does with film previews), which will itself lead to more cultural issues.


No company finds leaks that way (assigning different truths). Finding leaks is a matter of looking to see who accessed which documents.


If a company sends out communication to a group of authorized employees, then presumably they all accessed the documents -- as they should have. In the case of a security test, presumably many people were made aware so that they could improve their security.

Who among those employees leaked?

You can only know by access if that information was sufficiently isolating or unique.
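An added example, not code from anyone in this thread, of the two attribution approaches being argued over above: narrowing the suspect pool by intersecting access records across successive leaks (the "few more bits" per leak from the top comment), and the per-recipient variant approach for the case this comment raises, where every authorised reader did access the document and access alone isolates nobody. All user names, document IDs, log entries and detail values are constructed.

```python
"""Insider-leak attribution on constructed data: access-log intersection and
per-recipient variants. Added example, not code from anyone in the thread."""
import math
from itertools import product

# Constructed access records: (user, document_id). Invented names and IDs.
ACCESS_LOG = [
    ("alice", "pentest-2015"), ("bob", "pentest-2015"), ("carol", "pentest-2015"),
    ("dave", "pentest-2015"), ("erin", "pentest-2015"),
    ("alice", "profile-notes"), ("bob", "profile-notes"), ("frank", "profile-notes"),
    ("bob", "comp-memo"), ("carol", "comp-memo"), ("frank", "comp-memo"),
]
# Documents that, in this constructed scenario, surfaced in three successive stories.
LEAKED_DOCS = ["pentest-2015", "profile-notes", "comp-memo"]


def accessors(log, doc):
    """Everyone whose access to `doc` is recorded."""
    return {user for user, d in log if d == doc}


def suspect_pool(log, leaked_docs):
    """Users who accessed every leaked document.

    Assumes a single source: under that assumption each new leak can only shrink
    the pool. An empty result means the assumption is wrong (several leakers, or
    access the log did not capture), not that nobody leaked.
    """
    pools = [accessors(log, d) for d in leaked_docs]
    return set.intersection(*pools) if pools else set()


def bits_narrowed(before, after):
    """Information a leak yielded about the source: log2(|pool before| / |pool after|)."""
    if before <= 0 or after <= 0:
        raise ValueError("pool sizes must be positive")
    return math.log2(before / after)


# --- When access alone cannot isolate anyone --------------------------------
# If every authorised recipient legitimately read the document, the pool never
# shrinks. The alternative is to give each recipient a version differing in
# small, plausible details and match whichever combination appears in print.

RECIPIENTS = ["alice", "bob", "carol", "dave", "erin"]
# Constructed fields with two plausible values each; k binary fields distinguish 2**k people.
DETAILS = [
    ("retest_date", ["March 3", "March 5"]),
    ("finding_count", ["41", "43"]),
    ("vendor_contact", ["J. Smith", "J. Smyth"]),
]


def assign_variants(recipients, details):
    """Map each recipient to a distinct combination of detail values."""
    fields = [name for name, _ in details]
    combos = list(product(*[options for _, options in details]))
    if len(combos) < len(recipients):
        need = math.ceil(math.log2(len(recipients)))
        raise ValueError(f"{len(recipients)} recipients need at least {need} binary details")
    return {r: dict(zip(fields, c)) for r, c in zip(recipients, combos)}


def identify_from_leak(assignment, leaked_details):
    """Recipients whose variant agrees with every detail observed in the leak.

    A partial match (only some fields quoted in the story) returns a set, not one name."""
    return {
        r for r, variant in assignment.items()
        if all(variant.get(field) == value for field, value in leaked_details.items())
    }


if __name__ == "__main__":
    pool = accessors(ACCESS_LOG, LEAKED_DOCS[0])
    for n in range(1, len(LEAKED_DOCS) + 1):
        narrowed = suspect_pool(ACCESS_LOG, LEAKED_DOCS[:n])
        print(f"after {n} leak(s): {sorted(narrowed)} "
              f"({bits_narrowed(len(pool), len(narrowed)):.2f} bits)")
    variants = assign_variants(RECIPIENTS, DETAILS)
    print(identify_from_leak(variants, {"retest_date": "March 3", "finding_count": "43"}))
```

Two caveats the code makes explicit: the intersection only works under a single-source assumption, so an empty pool is a signal that there are several leakers (or incomplete logs) rather than a result; and the variant approach needs ceil(log2(recipients)) independently varied details, each of which must survive a journalist's paraphrase to be useful.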


Not only a disgruntled employee, but also there must be an unusual motivation for the journalist/media organization.

Like you said, it's completely counterproductive and, I believe, actually not news to publish the results of an old red-team test without any information about what has been mitigated since.


Surprised nobody has mentioned yet that the company was founded by Peter Thiel, who is becoming a uniquely objectionable individual these days and has every reason to draw the intense scrutiny of investigative online media outlets.


It's buzzfeed, they go for what gets pageviews. He found an internal source that's handing him info on a silver platter for whatever reason, I doubt there's a huge motive behind this besides more ad revenue.


And breaking a story? A lot of people hate Palantir for what they do and for what they stand for, and this is a powerful way of opposing them.


Surely it was the company who performed the pentest. It's the best publicity they can get.


'Look at how great we are at finding security vulnerabilities. Almost matched by our utter lack of discretion and confidentiality!'

Hardly a good advert. I would have thought a pen testing firm would make client confidentiality an extremely high priority.

My guess is a Palantir employee who feels that, due to the volume and nature of the data they handle, it needs to be publicly known that their security isn't up to scratch.


Well, I mean the whole point of confidentially leaking is to get something out there without having to put your name on it. This is a great advert for them no matter who leaked it, make no mistake about that.


These guys get better PR by their reputation. They know what clients they want, so they can target them directly. Buzzfeed giving them positive PR is almost negligible in its impact.

Meanwhile, if it came out that they leaked a pen test report, it would literally destroy their company. All their current clients would ditch them, they'd get sued into oblivion, and no one would trust the senior people there in the industry ever again. Would be a very dumb suicidal publicity stunt.


> Surely it was the company who performed the pentest.

Not a chance. Maybe an employee of that company did it who doesn't like Palantir but the company doing the pentests doing this on purpose is not on the table.

The upside does not begin to counter the downside (such as not having a company any more).

But you can bet they're digging very fanatically right now to figure out where the leak is.


I would imagine that if even one such incident were to occur this way, it would severely limit future business opportunities.


Or someone penetrated the pentesters


Funnily enough, I just had a reminder go off to check for your financial osint paper. Awesome interview on risky business.



